I have seen this pattern that allows web pages to interact with local system resources through an HTTP interface and I have a couple of questions about it:
- What is this pattern called?
- What recommendations exist for implementing this pattern?
- What are the security implications?
Basically, the requirement is to access a local resource on the user's machine, such as a USB device. The pattern is as follows:
- The user is prompted to download an executable.
- The executable exposes a service on http://localhost:port.
- The controlling web page handles the UI/UX and communicates with the service through HTTP.
The Bose update service is one example. Navigate to https://btu.bose.com and you are prompted to download and install the Bose updater.
The page begins polling localhost and receiving a timeout error. After installation, the connection succeeds and the page changes:
Here is one of the URLs and the response:
http://localhost:49312/updater/getUpdaterVersion?callback=BoseUpdater.remoteCallback&token=T187369b21bf6

BoseUpdater.remoteCallback("T187369b21bf6",{"version" : "3.0.1.1891"},0);
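As an added example (not code from the question and not the Bose updater's own code), here is a minimal localhost endpoint in the shape described above that only answers pages from an allow-listed origin and refuses JSONP callback names that are not plain identifiers, since the callback is echoed verbatim into a script response. The origin allowlist, the header handling and the CORS response are assumptions about how such a service could be hardened; the path, callback, token and version string are taken from the captured request above.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Assumption: only the controlling page from the question may talk to the service.
ALLOWED_ORIGINS = {"https://btu.bose.com"}
# A JSONP callback is written into the response as code, so accept only a dotted
# JavaScript identifier such as BoseUpdater.remoteCallback; anything else is refused.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def page_allowed(origin):
    """Return True only if the browser sent an allow-listed Origin header.
    A plain <script src=...> load carries no Origin, so it is refused; the page
    must request with fetch/XHR (or <script crossorigin>), which does send it."""
    return origin is not None and origin in ALLOWED_ORIGINS


def jsonp_response(callback, token, payload):
    """Build the callback(token, payload, status) line seen in the question,
    or return None when the callback name is not a safe identifier."""
    if not CALLBACK_RE.match(callback):
        return None
    return f"{callback}({json.dumps(token)},{json.dumps(payload)},0);"


class UpdaterHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        origin = self.headers.get("Origin")
        if not page_allowed(origin):
            self.send_error(403, "origin not allowed")
            return
        url = urlparse(self.path)
        if url.path != "/updater/getUpdaterVersion":
            self.send_error(404)
            return
        q = parse_qs(url.query)
        body = jsonp_response(q.get("callback", [""])[0], q.get("token", [""])[0],
                              {"version": "3.0.1.1891"})  # version from the question
        if body is None:
            self.send_error(400, "bad callback name")
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/javascript")
        # Echo only the allow-listed origin back so the page's CORS request succeeds.
        self.send_header("Access-Control-Allow-Origin", origin)
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 49312), UpdaterHandler).serve_forever()
```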